Chipp.in Tech News and Reviews

Windows, Security & Privacy, Open Source and more

Category: Security & Privacy

Google fixes another 0-day exploit in Google Chrome

Posted on May 24, 2024 by Martin Brinkmann

Google has released quite a few security updates for its Chrome web browser in recent months. Besides the weekly scheduled security updates, Google has released updates to address 0-day vulnerabilities in Chrome.

Today, Google released another security update for Google Chrome to address a 0-day exploit. The issue affects all desktop versions of Chrome and Chrome for Android.

Chrome users may want to install the update immediately to fix the issue. Here is how that is done on desktop systems (there is no option to speed up the installation of Chrome updates on Android):

  • Load chrome://settings/help in the Chrome address bar.
  • Chrome displays the current version and runs a check for updates.

Updates will get installed automatically at this point, but you need to restart the browser manually to complete the update.

Chrome should return the following version after installation of the update:

  • Chrome for Windows and Mac: 125.0.6422.112 or 125.0.6422.113
  • Chrome Extended Stable for Windows or Mac: 124.0.6367.233
  • Chrome for Linux: 125.0.6422.112
  • Chrome for Android: 125.0.6422.112 or 125.0.6422.113

About the Chrome security vulnerability

The official release notes page lists basic information about the vulnerability only. It is CVE-2024-5274, a Type Confusion in V8 issue. Google has rated the vulnerability as high and notes that it is exploited in the wild.

V8 is the JavaScript and WebAssembly engine that Google Chrome uses.

In other words, systems with an outdated version of Chrome may be successfully attacked. It is unclear how the issue can be exploited, however.

The last update that fixed a 0-day vulnerability in Google Chrome was released just 2 weeks ago. It is the 8th 0-day exploit fix in Chrome this year alone.

Google fixes Chrome security issue that is exploited in the wild

Posted on May 10, 2024 by Martin Brinkmann

Just days after the weekly Google Chrome security update comes another security update for the web browser. This one is unscheduled, as it fixes a 0-day security issue in Google Chrome that is exploited in the wild.

Google Chrome users should update the browser immediately to protect the browser and their data. Here is how that is done:

  • Open Google Chrome on a desktop system.
  • Select Menu > Help > About Google Chrome.

The browser displays the current version and runs a check for updates. It should pick up the security update and install it automatically.

Windows users may also launch a command prompt window and run winget upgrade Google.Chrome.EXE to update the browser to the latest version.

One of the following versions should be displayed by Chrome after installation of the update:

  • Chrome for Windows or Mac: 124.0.6367.201 or 124.0.6367.202
  • Chrome for Linux: 124.0.6367.201
  • Chrome Extended for Windows or Mac: 124.0.6367.201

The Chrome 0-day security issue: what we know

Google reveals little about the security issue on the official Chrome Releases website.

[N/A][339266700] High CVE-2024-4671: Use after free in Visuals. Reported by Anonymous on 2024-05-07

Google is aware that an exploit for CVE-2024-4671 exists in the wild.

The security issue is rated high and it is a use after free in Visuals. It was reported to Google on May 7, 2024, which means that it could have been exploited at least since that date. It is unclear how this issue can be exploited.

Other Chromium-based web browsers are also affected by the issue. This means that browsers such as Microsoft Edge, Vivaldi, Brave, or Opera are all vulnerable until an update is released.

Expect updates for these browsers in the coming hours and days.

Chrome on Android does not seem to be affected by the issue, as Google has not published an update for the browser or made an announcement on the releases blog regarding the platform.

When do you update browsers?

AI is capable of creating exploits from public CVEs

Posted on April 22, 2024 by Martin Brinkmann

AI tools are capable of writing exploits for publicly disclosed security vulnerabilities.

A team of University of Illinois researchers analyzed the capabilities of different Large Language Models in this regard. The team found that OpenAI’s GPT-4 managed to create exploit code for 87% of the tested vulnerabilities.

The figure dropped to 7% without access to the CVE description. Other AI models, including GPT-3.5, could not create any exploits based on public CVEs.

The researchers note:

When given the CVE description, GPT-4 is capable of exploiting 87% of these vulnerabilities compared to 0% for every other model we test (GPT-3.5, open-source LLMs) and open-source vulnerability scanners (ZAP and Metasploit).

The researchers did not put other large language models to test. Google Gemini or Claude 3, for example, were not part of the test.

How the tests were conducted

The researchers selected 15 one-day vulnerabilities from the Common Vulnerabilities and Exposures database for the test. All vulnerabilities were reproduced in “highly cited academic papers” according to the research paper.

The single large language model agent that the researchers created gave the AI access to tools, the CVE description, and the ReAct agent framework. Tools included capabilities to browse the Internet and activate elements, a code interpreter, and file creation.

The agent consisted of a total of 91 lines of code according to the researchers.

AI is improving, but there are challenges

OpenAI’s GPT-4 large language model managed to create exploits for 87% of the 15 vulnerabilities. That’s a huge jump from GPT 3.5’s 0%.

The researchers have verified that at least one large language model is now capable of creating exploit code based on publicly available information.

While GPT-4 performed well in tests, it experienced its fair share of challenges as well. The detailed description of one vulnerability was provided in Chinese only, which the researchers believe might have confused the AI, as the prompt given to it was provided in English.

The second vulnerability that GPT-4 could not crack required navigating a site using JavaScript navigation.

The researchers conclude that large language model providers and the cybersecurity community should take these capabilities into consideration, especially with regard to defensive measures.

Closing Words

The capabilities of large language models have increased significantly since the first release of ChatGPT last year. The capabilities will improve further in the coming months and years.

It is likely that threat actors will use large language models to automate processes. Exploits may be used sooner as a consequence by a wider pool of threat actors.

What is your take on this? Will we see an increase in exploit code in the coming years?

You can now sign in to Microsoft accounts using Outlook

Posted on April 9, 2024 by Martin Brinkmann

Microsoft’s Outlook app may now be used to sign in to Microsoft accounts and services. How useful is the new functionality?

Sign-ins to accounts on the Web or locally on devices are still a major nuisance for users. If you follow security guidelines, you pick a secure unique password for each service, and preferably, enable two-factor authentication as well.

Passkeys promise an improvement, but most Internet services and operating systems do not fully support this yet.

Microsoft has now enabled authentication functionality in its Outlook app to improve the login flow and make it more secure for certain setups. Classic two-factor authentication options such as text messaging are insecure, as the code is submitted in clear text.

Using the Outlook app for authentication

The main idea here is to use Outlook to verify the sign in. It works similarly to Authenticator apps, including Microsoft Authenticator.

Here is the entire process:

  1. You submit your username and password to sign in to your Microsoft account. This can be in Microsoft 365, OneDrive, Teams, or even Microsoft Windows.
  2. Microsoft displays a number on the next screen and prompts you to check your Outlook app.
  3. You need to tap on the right number, out of three presented to you, in the Outlook app.
  4. You then need to allow this using biometric or PIN verification.

Why is Microsoft introducing the functionality?

Microsoft Authenticator offers this functionality already. Why then is Microsoft introducing it in Outlook? Microsoft does not say in the official announcement.

The most likely reason is reach. Microsoft Authenticator has over 100 million downloads on Google Play, which is impressive for such an app. Microsoft Outlook, however, has over 1 billion downloads on Google Play alone. While a good portion of these downloads are not active, it is still likely that the Outlook app has a bigger reach than the Authenticator app.

Microsoft can reach ten times as many users in Outlook. To make things even simpler, the company is enabling the new functionality automatically in the latest Outlook app.

Microsoft says:

This sign-in verification functionality will be automatically enabled when you use the latest version of the Outlook app.  

In other words, if you use the Outlook app on Android, it sounds as if you have two factor authentication enabled automatically for your account. I have the app installed, but cannot verify this at this point because of Microsoft’s rollout of the feature.

There is a chance that this functionality becomes available only to users who have two-factor authentication enabled already for their accounts. This would improve the process, if they use weaker verification options, such as text messages.

Closing Words

Microsoft’s Authenticator app offers advantages over the Outlook implementation. Microsoft notes that users of the Authenticator app can continue using it. The app supports adding different accounts as well, while the Outlook app is limited to securing Microsoft accounts.

Microsoft says that the functionality is rolling out to all Android users. An iOS update is in development already and will be launched in the future.

Do you use two-factor authentication to improve account security?

Cookie stealing may soon be a thing of the past

Posted on April 3, 2024 by Martin Brinkmann

Google is working on a new security feature for the Web that aims to protect users against cookie theft malware better. Called Device Bound Session Credentials (DBSC), its main purpose is to bind cookies to the user’s device.

To better understand this, it is necessary to analyze the current situation. When you sign in to a web service, a cookie is usually saved to the local system. This session cookie may then be used in future sessions. The effect is that you do not need to sign in again, as this has been done in the past.

Cookies expire eventually, but until that happens, they may be used. One of the problems that arises is that cookies may also be used on other systems. This is what makes them attractive to criminals. If they manage to get their hands on session cookies, they may access the service without authentication.

A subtype of malware is designed to find and extract cookies from user systems. While this requires access to the user’s system in one way or another, it is a fairly common type of attack.

Device Bound Session Credentials

As the name implies, Device Bound Session Credentials limit cookies to individual devices. If you sign in to a web service, the boundary is your computer (or a particular application). Anyone stealing the cookie cannot use it to access the account on another device, thanks to the new protective system.

Google explains:

By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value.

Google admits that attackers may still get value out of attacks, but only if they act on the user system thanks to the boundary.

Technically, DBSC uses key pairs that are created when a new session starts. The private key is stored by the operating system and protections such as TPM help protect the keys against attacks. Servers may associate sessions with the public key; this ensures that a session is still on the original device.

Google notes that there is no “persistent user tracking” as sites may not “correlate keys from different sessions”. Keys may also be deleted at any time using the browser, e.g., Chrome’s option to delete site data.
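The key-pair binding described above, as an added example that is not Google's code and not the DBSC wire format: a server hands out short-lived cookies and only renews them for a fresh signature from the key registered at session start. The `Server` and `Device` classes, the `COOKIE_TTL` value and the signed message layout are assumptions made for illustration, and an in-process software key stands in for a TPM-protected one.

```javascript
const nodeCrypto = require('node:crypto');

const COOKIE_TTL = 300; // seconds a cookie stays valid (constructed value)

class Server {
  constructor() {
    this.sessions = new Map(); // session id -> { publicKeyPem, challenge }
    this.cookies = new Map();  // cookie value -> { id, expires }
  }

  // Session start: the browser registers the public half of a fresh key pair.
  startSession(publicKeyPem) {
    const id = nodeCrypto.randomBytes(8).toString('hex');
    this.sessions.set(id, { publicKeyPem, challenge: null });
    return id;
  }

  issueChallenge(id) {
    const session = this.sessions.get(id);
    if (!session) return null;
    session.challenge = nodeCrypto.randomBytes(16).toString('hex');
    return session.challenge;
  }

  // A new cookie is issued only for a valid signature over the pending challenge.
  refresh(id, signature, now) {
    const session = this.sessions.get(id);
    if (!session || !session.challenge) return null;
    const signed = Buffer.from(`${id}.${session.challenge}`);
    session.challenge = null; // single use, so a captured proof cannot be replayed
    if (!nodeCrypto.verify('sha256', signed, session.publicKeyPem, signature)) return null;
    const cookie = nodeCrypto.randomBytes(16).toString('hex');
    this.cookies.set(cookie, { id, expires: now + COOKIE_TTL });
    return cookie;
  }

  authorize(cookie, now) {
    const entry = this.cookies.get(cookie);
    return Boolean(entry) && now < entry.expires;
  }
}

class Device {
  constructor() {
    const pair = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.privateKey = pair.privateKey; // never leaves the device in the real design
    this.publicKeyPem = pair.publicKey.export({ type: 'spki', format: 'pem' });
  }

  prove(id, challenge) {
    return nodeCrypto.sign('sha256', Buffer.from(`${id}.${challenge}`), this.privateKey);
  }
}

function runScenario() {
  const server = new Server();
  const laptop = new Device(); // the user's device
  const thief = new Device();  // another machine holding a copied cookie, but its own key

  const id = server.startSession(laptop.publicKeyPem);
  const firstChallenge = server.issueChallenge(id);
  const firstProof = laptop.prove(id, firstChallenge);
  const cookie = server.refresh(id, firstProof, 0);
  const later = COOKIE_TTL + 1;

  const results = {
    cookieBeforeExpiry: server.authorize(cookie, 10),  // a copied cookie still works here
    cookieAfterExpiry: server.authorize(cookie, later) // and stops working here
  };

  // The other machine cannot renew: its signature does not match the registered key.
  const secondChallenge = server.issueChallenge(id);
  results.thiefRefresh = server.refresh(id, thief.prove(id, secondChallenge), later) !== null;

  // Replaying the laptop's earlier proof fails because the challenge has changed.
  server.issueChallenge(id);
  results.replayedProof = server.refresh(id, firstProof, later) !== null;

  // The original device renews without the user signing in again.
  const thirdChallenge = server.issueChallenge(id);
  const renewed = server.refresh(id, laptop.prove(id, thirdChallenge), later);
  results.deviceRefresh = renewed !== null && server.authorize(renewed, later + 1);
  return results;
}
```

The window before `cookieAfterExpiry` turns false is what the cookie lifetime controls: the shorter it is, the less a copied cookie is worth off the device.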

Going forward

Google has open sourced the project and plans to make it a public standard. It is already experimenting with a prototype in Chrome Beta that protects Google Account users. Some companies, including Microsoft, have expressed interest already in DBSC.

You can check out Google’s post on the Chromium blog for an overview or the technical explainer on GitHub for additional information.

Firefox 124.0.1 fixes two critical security issues

Posted on March 22, 2024 by Martin Brinkmann

It has been just a few days since the release of Firefox 124.0, but here is Firefox 124.0.1 already. Usually, when this happens, it is either a security update or a bug fix update that addresses major issues.

It is a security update in the case of Firefox 124.0.1. The official release notes include just two words: “Security fixes”. The issue affects desktop versions of the web browser. It is unclear if the Android version is also affected. There is no release notes page for Firefox 124.0.1 for Android at the time of writing.

The security advisory page lists two security issues that Mozilla addressed in the Firefox update. Both have a severity rating of critical, which is the highest severity rating available:

  • CVE-2024-29943: Out-of-bounds access via Range Analysis bypass
  • CVE-2024-29944: Privileged JavaScript Execution via Event Handlers

Both security issues were reported to Mozilla by Manfred Paul via Trend Micro’s Zero Day initiative.

The first security issue could allow an attacker to “perform an out-of-bounds read or write” on JavaScript objects by “fooling range-based bounds check elimination”.

The second issue allows an attacker to “inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process”.

Without going into too many details on the issues, they’d allow an attacker to execute JavaScript code or control JavaScript objects in the Firefox web browser.

Mozilla does not reveal if the issues are exploited in the wild. It is a good idea to update Firefox Stable installations as soon as possible to protect the browser from potential attacks targeting the vulnerabilities.

Updating Firefox

The security update is available already. While most Firefox installations will get updated automatically, cautious Firefox users and system administrators may want to speed up the installation of the update.

Here is how this is done:

  1. Open the Firefox web browser.
  2. Select Menu > Help > About Firefox.
  3. Firefox displays the current version. It should pick up the update at the same time. In other words, it is downloaded and installed automatically.
  4. A restart of the browser is required to complete the process.

Repeat the steps above and you should see Firefox 124.0.1 listed as the version on the about page.

Firefox is also available on the Mozilla website. Click here to open the download page and download the latest version to the local system.

Google turns Safe Browsing real-time checks on in Chrome

Posted on March 15, 2024 by Martin Brinkmann

Announced last year, Google has now enabled real-time Safe Browsing checks in its Chrome web browser.

Safe Browsing is a security component of the Google Chrome web browser. Its main purpose is to warn users about malicious websites or downloads. This includes protections against known phishing websites and malware.

Google Chrome used a local list of known malicious sites by default previously. This list was updated every 30 to 60 minutes by the browser. This meant that there was a short period in which new known threats were not blocked by the browser.

Google calculated that “average malicious” sites exist for less than 10 minutes. In other words, a good portion of malicious sites do not exist anymore when Chrome updates the local Safe Browsing list.

Chrome users could switch the security setting to enhanced to get real-time checks. This new real-time checking of threats is now available in all Safe Browsing modes.

Safe Browsing changes

Google Chrome uses a Safe Browsing list on Google servers now to check any site that is getting opened against it. This improves the protection of users. Google estimates that this should improve the blocking of phishing attempts by 25%.

The change is rolling out to Chrome desktop users already. Android will also get the change “later this month” according to Google.

The option to enable Enhanced Protection is still available. This includes real-time checks as well, but also use of “AI to block attacks, provides deep file scans and offers extra protection from malicious Chrome extensions”.

What about privacy?

Google says that the new real-time nature of Safe Browsing checks is privacy-preserving.

Here is what happens in Chrome when a site is visited (according to Google):

  1. The cache is checked to see if the site is known to be safe already.
  2. If it is not in the cache, Chrome needs to check it against the remote Safe Browsing list.
  3. Chrome starts by obfuscating the URL locally into 32-byte full hashes.
  4. The hash is then truncated into 4-byte long chunks.
  5. These are encrypted by Google Chrome and transferred to a “privacy server”.
  6. The privacy server removes “potential user identifiers” before forwarding the encrypted hash chunks to the Safe Browsing server.
  7. There the data is decrypted and checked against the database.
  8. If a match is found, Chrome shows a warning to the user.
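Steps 3 to 8 above, sketched as an added example (not Chrome's or Google's code): the client derives lookup expressions from the URL, hashes each with SHA-256 and lets only the first 4 bytes leave the device. The encryption and privacy-server hops are left out, the expression rules are a simplified form of those in the public Safe Browsing API, the final full-hash comparison on the client follows that API's design rather than this page, and the blocklist entries and function names are constructed.

```javascript
const nodeCrypto = require('node:crypto');

const sha256 = (text) => nodeCrypto.createHash('sha256').update(text, 'utf8').digest();

// Host variants: the exact host plus up to four suffixes taken from its last
// five labels. IP literals and the bare top-level label are never expanded.
function hostSuffixes(host) {
  const out = [host];
  if (/^[\d.]+$/.test(host) || host.includes(':')) return out;
  const labels = host.split('.');
  for (let i = Math.max(1, labels.length - 5); i <= labels.length - 2; i++) {
    out.push(labels.slice(i).join('.'));
  }
  return out;
}

// Path variants: exact path with query, exact path, then "/" and up to three
// leading directories, each with a trailing slash.
function pathPrefixes(pathname, search) {
  const out = new Set();
  if (search) out.add(pathname + search);
  out.add(pathname);
  let prefix = '/';
  out.add(prefix);
  const dirs = pathname.split('/').filter(Boolean).slice(0, -1);
  for (const dir of dirs.slice(0, 3)) {
    prefix += dir + '/';
    out.add(prefix);
  }
  return [...out];
}

function expressionsFor(url) {
  const { hostname, pathname, search } = new URL(url);
  const paths = pathPrefixes(pathname, search);
  return hostSuffixes(hostname).flatMap((host) => paths.map((path) => host + path));
}

// Constructed blocklist standing in for the Safe Browsing database.
const BLOCKLIST = ['bad.example/phish/', 'malware.example/'].map(sha256);

// Server side: it only ever receives 4-byte prefixes and answers with the
// full hashes it knows that start with one of them.
function serverLookup(prefixesHex) {
  const wanted = new Set(prefixesHex);
  return BLOCKLIST
    .filter((hash) => wanted.has(hash.subarray(0, 4).toString('hex')))
    .map((hash) => hash.toString('hex'));
}

// Client side: hash locally, send truncated prefixes, confirm on the full hash.
function checkUrl(url) {
  const candidates = expressionsFor(url).map((expr) => {
    const full = sha256(expr);
    return {
      expr,
      full: full.toString('hex'),
      prefix: full.subarray(0, 4).toString('hex')
    };
  });
  const sent = [...new Set(candidates.map((c) => c.prefix))];
  const returned = new Set(serverLookup(sent));
  // A prefix hit alone is not a verdict: many unrelated URLs share 4 bytes.
  const hit = candidates.find((c) => returned.has(c.full));
  return { sent, verdict: hit ? 'unsafe' : 'safe', matched: hit ? hit.expr : null };
}
```

The `sent` array is everything the lookup service learns about the visit in this sketch: 8 hex characters per expression, which many unrelated URLs share.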

Google entered into a partnership with Fastly to “operate an Oblivious HTTP privacy server” that sits between the Chrome web browser and Safe Browsing.

The main idea behind Oblivious HTTP is to block the receiving server from linking requests to specific clients. Google published a blog post on the Chrome Security blog that offers additional information on the implementation in Chrome and server infrastructure.

Closing Words

Real-time checks should improve protection for users without impacting their privacy. Other browsers who also use Safe Browsing may not be affected by the change if they download Safe Browsing lists instead of using real-time checks.

Those who use Chrome but do not want these real-time checks can turn off Safe Browsing

Google says it has optimized Safe Browsing in Chrome

Posted on February 14, 2024 by Martin Brinkmann

Safe Browsing is a core security feature of Google’s Chrome web browser. The technology is also used by other browsers, often indirectly to improve privacy.

Google revealed in a new post on the Chromium blog that it has optimized Safe Browsing checks in the Chrome web browser.

The changes bring a performance boost to Safe Browsing checks thanks to the use of asynchronous checks. Some checks have also been scaled back to reduce their impact on the page loading time.

Safe Browsing: Asynchronous checks

Safe Browsing checks block pages from loading. This is a security precaution to ensure that malicious content is blocked before it can be loaded by the Chrome browser.

This is usually not a problem for local checks according to Google. Checks on Internet websites, on the other hand, add latency to the loading of the page.

Google Chrome 122 enables asynchronous Safe Browsing checks. This allows sites to load content during checks. Google says that this will reduce page load times in Chrome and improve the overall user experience.

Chrome continues to show a warning page if Safe Browsing determines that a page or one of its resources is problematic.

There is also potential for improving new artificial intelligence and machine learning algorithms “to detect and block more phishing and social engineering attacks” according to Google. In the past, such experiments could have increased the page loading time further.

Risks associated with the change

Since pages may load while Safe Browsing checks take place, there is a chance of attacks.

Google says that it has evaluated two common attack types and concluded that sufficient mitigations are in place:

  • Phishing and social engineering attacks — Phishing sites may load while checks are still ongoing. Google believes that it is unlikely that users will have the time to interact with the site in a way that would impact security. Selecting a password field and typing the password, for instance, should take longer than the Safe Browsing check.
  • Browser exploits — Chrome has a local list of sites that attack using browser exploits. Checks continue to be made asynchronously and Google recommends keeping Chrome up to date to block most attacks from being effective.

Sub-resource and PDF checks

Two additional checks are listed by Google that are impacted by the optimizations.

  • Sub-resource checks — attacks using sub-resources are declining, according to Google. New protections, including intelligence gathering, threat detection, and Safe Browsing APIs, protect users in real-time without specifically needing to check sub-resources. As a consequence, Google Chrome will no “longer check the URLs of sub-resources with Safe Browsing”.
  • PDF download checks — Google reduced the frequency of PDF download checks. PDF documents were used for attacks in the past, but widespread attacks are rare thanks to improvements to Chrome’s PDF viewer. Google notes that most PDF files use links for attacks. These links may open in Chrome, which gives Safe Browsing a chance to block the attack.

Closing Words

Google benefits from the reduction in checks. PDF checks alone reduce Safe Browsing checks “billions of times” each week. The removal of checks may push certain forms of attacks again. Sub-resource attacks may see a revival as malicious actors find new ways to exploit the change.

Chrome users may check the browser’s Safe Browsing preferences under chrome://settings/security. There they find the two main options — standard and enhanced protection — as well as an option to turn off the security feature entirely.

0Patch patches Windows vulnerability that Microsoft did not consider “patchworthy”

Posted on February 1, 2024 by Martin Brinkmann

Not every Windows vulnerability requires patching according to Microsoft. When Microsoft analyses reported vulnerabilities, it may conclude that a vulnerability does not meet the bar for servicing.

Exactly this happened to a security researcher recently who reported a Windows Event Log vulnerability to Microsoft. Successful exploitation of the vulnerability results in a crash of the Windows Event Log service. The vulnerability requires authentication but no special user privileges. Attacks may crash the service on local or remote devices.

The vulnerability affects Windows 10 and Windows Server 2022 devices according to the researcher. 0Patch discovered later that it affects more Windows systems: on the client side, all Windows operating systems starting with Windows 7, and on the server side, all Windows Server operating systems starting with Windows Server 2008 R2.

The researcher published a proof of concept of the vulnerability on GitHub. A short demo GIF is also available there.

0Patch steps in, creates free micro-patch

Micro-patching service 0Patch analyzed the issue. It discovered that the proof of concept was “remarkably simple” and that attacks did not take more than a second to execute.

The Windows Event Log service restarts if it stops, but this happens only twice according to 0Patch. Attackers may run the attack multiple times to stop it for the session.

No events are logged when the service is not running. This means that events cannot be read either while the service is down. 0Patch notes on its website that Windows keeps a separate record of security and system events when the logging service is down.

These are added to the log when it is up again. Company engineers discovered that the information persists across sessions, but that it gets lost when the system crashes.

To sum it up: a successful attack, which includes a crash of the system in the end, may prevent the logging of any events on the system. This makes forensic work difficult on attacked systems and may be exploited by malicious actors to cover their tracks even better.

0Patch writes:

During the service downtime, any detection mechanisms ingesting Windows logs will be blind, allowing the attacker to take time for further attacks – password brute-forcing, exploiting remote services with unreliable exploits that often crash them, or running every attacker’s favorite whoami – without being noticed.

0Patch created a free micro-patch that addresses the vulnerability in all affected versions of Windows.

The patch requires the installation of 0Patch Agent on affected systems. 0Patch continues to support some Windows systems that Microsoft does not support anymore. Windows 10 will also receive extended support by 0Patch, but also by Microsoft through its Extended Security Updates program.

Additional information, including vulnerability and patch details, is available on the 0Patch website.

Closing Words

Whether it is necessary to patch the vulnerability depends on risk assessment. Most home users are not targeted by sophisticated attacks, but this may be different for organizations.

The patch is free at the moment and it will stay that way. Only the release of an official patch by Microsoft may change that in the future.

PlayStation Network: passkey support coming soon

Posted on January 31, 2024 by Martin Brinkmann

PlayStation users may soon protect their account with a passkey. A support page is already available on the official PlayStation website, but some of the functionality is not yet usable.

Passkey is a new technology that promises to be more secure than usernames and passwords. One of the main advantages is that passkeys are created locally. Private information that is essential for the authentication process stays local. This means that attackers may no longer use phishing attacks to take over accounts. Other attack types, including server breaches or network spying, will also become useless in this regard.

When users create accounts with a password, a hash of the password is stored on the company’s server. This hash may be turned back into the password. The effectiveness depends on the strength of the user password and other parameters.

Passkeys offer another advantage: they remove the need to type passwords. While that may not be such a problem on computers, especially if password managers are used, it can be a nuisance when signing in to the PlayStation.

While there is more to security than strong passwords and two-factor authentication, or passkeys, it is without doubt of high importance.

PlayStation Network: Passkeys support

The official passkey page on Sony’s website describes the security feature. The prominent “activate now” button opens the security settings on the PlayStation website.

The option to generate a passkey is not yet available. The link to the FAQ returns a 404 not found error at this time. It is unclear when the functionality becomes available, but it cannot be long before Sony makes an official announcement.

Some information is revealed on the landing page. Sony writes:

A passkey is a password replacement that provides faster, easier, and more secure sign-in to your account for PlayStation Network. It allows you to access your account without a password. Instead, you sign in through your mobile device or computer using the same convenient device screen unlocking method like a fingerprint, face scan or PIN.

Once set up, PlayStation users may sign in to their account using the passkey. Passkey support may be limited to biometrics or a device PIN. It is unclear if Sony plans to support hardware security keys as well.

These keys, like the Google Titan Security Key, are inserted into USB ports for authorization. Some have buttons that users need to press to complete the authentication process.

Sony confirms that the PlayStation 5 and the older PlayStation 4 will support passkeys.

Closing Words

More and more Internet services and companies add support for passkeys. It is an excellent new system that promises protection against common threats. While that is the case, there are things that make it less usable in some cases. Since passkeys are created on the local device, it may be necessary to generate them on all devices, copy them or find a way to sync them.

Now You: do you use passkeys already?

About

We talk, write and dream about Technology 24/7 here at Chipp.in. The site, created by Martin Brinkmann in 2023, focuses on well-researched tech news, reviews, guides, help and more.
